Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD) (English translation available here), took a significant step forward on August 26, 2020, when the Brazilian Senate rejected the Chamber of Deputies’ proposal to postpone the LGPD’s effective date until December 31, 2020. The Senate also adopted a proposal to give the core provisions of the LGPD immediate effect, subject to the President’s approval.
As soon as the LGPD takes effect, organizations that violate certain provisions of the LGPD may be subject to private lawsuits and public prosecutor enforcement actions brought under other Brazilian statutes. The administrative sanctions provisions of the LGPD take effect on August 1, 2021.
If the President explicitly approves the proposal, the LGPD’s core provisions will take immediate effect. Alternatively, if the President does not veto the Senate proposal within 15 business days after receiving it from the Senate, the proposal and the LGPD’s core provisions will take effect on September 16, 2020, once the 15 business day period lapses.
In another development signaling the LGPD’s forward momentum, President Bolsonaro issued Decree 10,474 on August 26, 2020, which establishes the governance structure of the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
The Decree assigns to the ANPD responsibility for various data protection activities, including ensuring the protection of personal data, developing guidelines under the LGPD, investigating and enforcing against violations of data protection, and cooperating with data protection authorities in other countries.
For a summary of the LGPD and its requirements, see our previous post here.